Automatic client certificates when creating users in vpn-admin.php
==================================================================

1) Install Easy-RSA on THIS server (example Ubuntu):
   sudo apt install easy-rsa

2) One-time PKI — automated script (from this repo on the server):
   sudo bash /var/www/html/wordpress6/wordpress/EP/openvpn-pki/init-easy-rsa-pki.sh

   Or with a custom CA name:
   sudo EASYRSA_CA_CN="My Company CA" bash .../init-easy-rsa-pki.sh

   Or manual steps (SSH as root; not via PHP):
   cd /var/lib/easy-rsa
   ./easyrsa init-pki
   ./easyrsa build-ca nopass

   Create the VPN *server* cert on the OpenVPN server machine as usual (not covered here).

3) Let the web user run easyrsa and write to pki/ (adjust paths):
   sudo chown -R www-data:www-data /var/lib/easy-rsa

   Or add www-data to a group that owns the directory.

4) Tell PHP where Easy-RSA lives (FCGI needs PHP-FPM env; Apache SetEnv alone is not enough):

   Run the installer (uses /opt/easy-rsa by default; override with VPN_EASYRSA_DIR=...):
   sudo bash /var/www/html/wordpress6/wordpress/EP/openvpn-pki/install-vpn-env.sh

   Or manually add to /etc/php/8.2/fpm/pool.d/scala4.conf:
   env[VPN_EASYRSA_DIR] = /opt/easy-rsa

   Then:
   sudo systemctl reload php8.2-fpm apache2

5) Optional: also set VPN_PKI_DIR explicitly to the same pki folder.
   If you only set VPN_EASYRSA_DIR, the app uses {VPN_EASYRSA_DIR}/pki automatically
   for embedding certs into .ovpn downloads.

6) Usernames for new VPN users must match Easy-RSA names: [a-zA-Z0-9._-]+ only
   when VPN_EASYRSA_DIR is set.

Revoking a user: use ./easyrsa revoke NAME; ./easyrsa gen-crl on the server,
and update OpenVPN server to use the CRL — not automated by this web app.
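
Added example (not part of this repo's scripts): a POSIX shell check for the name pattern in step 6, used to guard the manual revoke commands above. The function names vpn_name_ok and revoke_vpn_user are hypothetical, and rejecting a leading '-' or '.' is an extra restriction assumed here, beyond the pattern these notes give.

```shell
#!/bin/sh
# Added example, not from this repo. Function names are hypothetical.
# Byte-wise ranges so a-z / A-Z mean ASCII letters only.
LC_ALL=C
export LC_ALL

# Return 0 if NAME is acceptable as an Easy-RSA client name.
vpn_name_ok() {
    name=$1
    case $name in
        # Empty, or any character outside the set from step 6: [a-zA-Z0-9._-]
        '' | *[!a-zA-Z0-9._-]*) return 1 ;;
        # Assumption (stricter than step 6): Easy-RSA uses the name as a file
        # basename (pki/issued/NAME.crt), so refuse names that would start
        # with '-' (option-like) or '.' (hidden file, "." and "..").
        -* | .*) return 1 ;;
    esac
    return 0
}

# Revoke NAME and regenerate the CRL with the two commands from the notes.
# Returns 2 without touching the PKI when the name fails validation.
revoke_vpn_user() {
    name=$1
    # /opt/easy-rsa is the installer default mentioned in step 4.
    dir=${VPN_EASYRSA_DIR:-/opt/easy-rsa}
    if ! vpn_name_ok "$name"; then
        echo "refusing invalid client name" >&2
        return 2
    fi
    # Subshell keeps the caller's working directory unchanged.
    ( cd "$dir" && ./easyrsa revoke "$name" && ./easyrsa gen-crl )
}
```

After a successful revoke, the OpenVPN server still has to be pointed at the regenerated CRL, as noted above.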